Community discussions

 
aproxx
just joined
Topic Author
Posts: 3
Joined: Thu Sep 12, 2019 11:38 am

Router on a Stick

Thu Sep 12, 2019 11:40 am

Hi,

I’ve brought a Mikrotik Router hEX PoE.

The „First-Step-Configuration“ ist pretty easy to handle.

But I need some help for a VLAN Configuration.

What I want to achieve is a „Router-On-A-Stick“ configuration. Means multiple VLAN on one Port with different DHCP Server /Subnets.
I’ve already configured multiple VLANs (ID 10,20) on ether2 (DHCP not configured yet). With Static IPs it worked fine, but I can’t reach the Internet.

Any clues?
 
User avatar
Anumrak
Forum Veteran
Forum Veteran
Posts: 993
Joined: Fri Jul 28, 2017 2:53 pm

Re: Router on a Stick

Thu Sep 12, 2019 4:12 pm

Hey. What address space in a LAN network are you using for Internet access? Private ones with NAT function or global ones?
 
tdw
Member Candidate
Member Candidate
Posts: 178
Joined: Sat May 05, 2018 11:55 am

Re: Router on a Stick

Thu Sep 12, 2019 5:13 pm

Most likely the additional networks are not having NAT performed before heading for the 'WAN' interface, post the output of /export hide-sensitive after sanitising any public IPs, etc.
 
aproxx
just joined
Topic Author
Posts: 3
Joined: Thu Sep 12, 2019 11:38 am

Re: Router on a Stick

Fri Sep 13, 2019 9:04 am

Hi,

thanks for the fast reply.

the WAN side gets a 192.168.7.0/24 IP. (NAT) The MikroTik ROuter ist connected to the internet (with the default ports).

Do i need to configure NAT for the VLAN Interfaces? If so, how?

Thanks in advance....
[admin@MikroTik] > export hide-sensitive  
# sep/13/2019 07:57:24 by RouterOS 6.42.12
# software id = 04BT-G76C
#
# model = 960PGS
# serial number = AD8C0AFFD041
/interface bridge
add admin-mac=74:4D:28:AA:C8:04 auto-mac=no comment=defconf name=bridge
/interface vlan
add interface=ether2 name=VLAN10 vlan-id=10
add interface=ether2 name=VLAN20 vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.99.200-192.168.99.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.99.1/24 comment=defconf interface=ether2 network=192.168.99.0
add address=192.168.10.1/24 interface=VLAN10 network=192.168.10.0
add address=192.168.20.1/24 interface=VLAN20 network=192.168.20.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.99.0/24 comment=defconf gateway=192.168.99.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.99.1 name=router.lan
add address=8.8.8.8 name=google
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/Berlin
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
mkx
Forum Guru
Forum Guru
Posts: 2792
Joined: Thu Mar 03, 2016 10:23 pm

Re: Router on a Stick

Fri Sep 13, 2019 9:17 am

Your L2 VLAN setup is very far from complete (and what's done is wrong). I suggest you to read through this nice tutorial. After you're done and still have problems, come back with questions.
BR,
Metod
 
aproxx
just joined
Topic Author
Posts: 3
Joined: Thu Sep 12, 2019 11:38 am

Re: Router on a Stick

Fri Sep 13, 2019 10:06 am

Hi all,

it works!
/interface bridge
add admin-mac=74:4D:28:AA:C8:04 auto-mac=no comment=defconf name=bridge
/interface vlan
add interface=ether2 name=VLAN10 vlan-id=10
add interface=ether2 name=VLAN20 vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.99.200-192.168.99.254
add name=POOL10 ranges=192.168.10.100-192.168.10.200
add name=POOL20 ranges=192.168.20.100-192.168.20.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=POOL10 disabled=no interface=VLAN10 name=DHCP10
add address-pool=POOL20 disabled=no interface=VLAN20 name=DHCP20
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.99.1/24 comment=defconf interface=ether2 network=192.168.99.0
add address=192.168.10.1/24 interface=VLAN10 network=192.168.10.0
add address=192.168.20.1/24 interface=VLAN20 network=192.168.20.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=8.8.8.8 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=8.8.8.8 gateway=192.168.20.1
add address=192.168.99.0/24 comment=defconf gateway=192.168.99.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.99.1 name=router.lan
add address=8.8.8.8 name=google
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ether1
/system clock
set time-zone-name=Europe/Berlin
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
I've added DHCP on the VLANs and turned NAT on as well. I guess NAT was the issue (since DHCP has nothing to do with the Internetconnection with a static IP)

@mkx: Thanks for guide, but it didn't help (still a good guide for learning about VLAN)

Have a nice day guys!
 
mkx
Forum Guru
Forum Guru
Posts: 2792
Joined: Thu Mar 03, 2016 10:23 pm

Re: Router on a Stick

Fri Sep 13, 2019 11:40 am

It still doesn't look right ... but if it works for you, fine.

Might stop working after some ROS upgrade though:
  • when an interface is member of bridge, then all the rest of configuration should go to the bridge.
    In your case, ether2 is member of bridge named "bridge", and vlan interfaces should be anchored on bridge. There's some plain (non-vlan) configuration dispersed between ether2 and bridge as well.
    If you really don't intend to use the rest of wired ports (ether3-5, sfp1) in the same "switched" network as ether2, then you should remove ether2 from bridge. Beware that doing so you might loose admin access to RB due to various reasons: bridge admin-mac is set statically, possibly to MAC of ether2 interface. If interface with same MAC address is not member of bridge any more, interesting things can happen. Also, if you remove ether2 from bridge, you'll loose untagged access to RB as a whole. Could be that currently you actually use untagged for administrative access.
  • Default SRC NAT rule should be working just fine. As the order of rules matters, you can check if the additional NAT rule really takes the traffic (check rule stats, e.g. by executing /ip firewall nat print stats ... the rule actually servicing your traffic will have considerable numbers recorded).
    Rationale: default rules use interface lists and WAN interface should be member of interface list named "WAN". Your WAN seems to be ether1 with running DHCP client and that interface was already member of WAN interface list. The same interface list concept is used both by firewall filter rules as well as NAT rules.
    What does matter is that your VLAN interfaces are not members of any interface lists (and should be members of LAN interface list by the functionality of it). So currently rule #4 from the export (last one in chain=input) blocks communication from VLANs (as compared to plain untagged traffic over ether2, which is member of bridge and bridge "interface" is member of LAN interface list).

There are other, potentially dangerous, inconsistencies in the configuration.
BR,
Metod

Who is online

Users browsing this forum: No registered users and 21 guests